5/11/2011

IT GENERAL CONTROLS & THE PREVENTION OF FRAUD
Ed Tobias, CISA, CIA, CFE
May 11, 2011

AGENDA
1. What are IT General Controls?
2. 5 Areas for Review
3. Case Study

What are IT General Controls (ITGC)?

What is a “control”?
• Process developed by management
• Provides reasonable assurance that:
  • Operations are effective & efficient
  • Financial reporting is reliable
  • Laws & regulations are complied with
• Used to manage risks (“control someone’s behavior”)
• Examples:
  • Policies & procedures
  • Approvals
  • Reconciliations
  • SoD (Segregation of Duties)

What’s the difference???
• ITGC are used to manage technology risks
What are IT General Controls (ITGC)?
• ITGC affect everything based on technology
  • Passwords
  • Program changes / system updates
  • Roles / SoD
  • Backups / recovery
  • 3rd-party providers
• 3 main technology areas:
  1. System (servers)
  2. Network
  3. Applications
• ITGC are part of the entire system of internal control
• ITGC provide assurance that information systems are working as intended
  • Rely on the information
  • Legal / regulatory compliance
  • Effective / efficient operations

Center for Internet Security
• Applying ITGC consistently protects against 85%+ of the top vulnerabilities reported by:
  • NIST
  • FBI
  • SANS Institute
  • Computer Security Institute

Without effective ITGC, where is the fraud …
• Financial statement schemes
• Asset misappropriation schemes
  • Fraudulent disbursements
  • Theft of assets/inventory
• Bribery / conflicts of interest
Without effective ITGC, where is the fraud …
• Theft of Intellectual Property
• Financial Institution Fraud
• Check & Credit Card Fraud
• Insurance Fraud
• Health Care Fraud
• Securities Fraud
• Consumer Fraud – Identity Theft
• Computer / Internet Fraud
• Public Sector Fraud
• Almost everywhere, since we use technology to:
  • Store information
  • Make decisions

5 Areas for Review
1. IT Entity-Level
2. Change Management
3. Information Security
4. Backup and Recovery
5. 3rd-party IT Providers

Normally done by IT auditors (technology skills/background), but can be performed by:
• Operational/financial auditors
• IT Security / Compliance

Need to determine the “key information technology risks”
• Framework (NIST, COBIT)
• IT Management
• IT Management – what 3-5 things keep them awake at night?

1. IT Entity-Level
• Need to understand IT involvement
• Assess IT complexity
  • Low – COTS, 1 server, 1-15 users
  • High – ERP and/or customized, 4+ servers, 30+ users
• Impact to the system?
• Mitigating controls?
• Policies & procedures
  • Acceptable Use (found in the Employee Manual)

What about … USB thumb drives? Smartphones? Your data has legs!
What about … rogue wireless access points? Your network is OPEN!

• Acceptable Use
  • Information Security responsibilities: YOU are responsible for your company’s data!

1. IT Entity-Level
• Annual Technology Plan
• Annual Budget
• Prioritization of IT projects

2. Change Management
• All changes to the system
  • Properly authorized
  • Securely implemented
  • SoD is important!
• Vendor does changes
  • Access always on?
  • Logging access times?
  • Review key reports before/after changes?
• Key spreadsheets
  • Locked down?
  • Protected formulas?
  • Restricted access?
Impact of Spreadsheet Errors (statistics from 2006 ACL White Paper – Spreadsheets)
• Data entry error of $118,000
• $11M severance error
• $30M spreadsheet error
• $644M misstatement

3. Information Security
• Physical Security
• Passwords
• User IDs
• Roles in the system
• Administrators / Super Users
• Logging
• Encryption
• Wireless Access

3. Information Security • Password best practices (NIST)
• Password length – 8
• Complex passwords – 2 of 4 character classes:
  • Upper / lower case
  • Numeric (0-9)
  • Special (!, @, #, $)
• Maximum password age – 90 days
• Suspended after 3 tries
• Change initial password
• Password history – 8
3. Information Security • Password best practices (NIST)
• Mitigating controls
  • No dictionary words
  • Regular training / awareness
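The password parameters from the slides (length 8, 2 of 4 character classes, no dictionary words, history of 8, suspended after 3 tries, forced change of the initial password) combined into one account-policy check. This is an added example, not code from the presentation; the word list, the PBKDF2 hashing and the Account class are assumptions made for illustration.

```python
import hashlib, hmac, os, string
from collections import deque
MIN_LENGTH, MIN_CLASSES, HISTORY_DEPTH, MAX_FAILED_TRIES = 8, 2, 8, 3  # values from the slides
DICTIONARY = {"password", "welcome", "summer", "company"}  # constructed sample word list

def character_classes(pw):
    # how many of the four classes (upper, lower, digit, special) the password uses
    checks = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)

def _hash(pw, salt):
    # salted PBKDF2 stands in for a slow password hash; raise the iterations in production
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

class Account:
    def __init__(self, initial_password):
        self.history = deque(maxlen=HISTORY_DEPTH)  # (salt, hash) of the last 8, current last
        self.failed_tries, self.suspended, self.must_change = 0, False, True
        self._store(initial_password)
    def _store(self, pw):
        salt = os.urandom(16)
        self.history.append((salt, _hash(pw, salt)))
    def policy_violations(self, pw):
        problems = []
        if len(pw) < MIN_LENGTH:
            problems.append("too short")
        if character_classes(pw) < MIN_CLASSES:
            problems.append("too few character classes")
        if any(word in pw.lower() for word in DICTIONARY):
            problems.append("contains dictionary word")
        if any(hmac.compare_digest(_hash(pw, s), h) for s, h in self.history):
            problems.append("reused within last %d" % HISTORY_DEPTH)
        return problems
    def change_password(self, new_pw):
        problems = self.policy_violations(new_pw)
        if not problems:
            self._store(new_pw)
            self.must_change = False  # the initial password has now been replaced
        return problems
    def login(self, pw):
        if self.suspended:
            return "suspended"
        salt, h = self.history[-1]
        if hmac.compare_digest(_hash(pw, salt), h):
            self.failed_tries = 0
            return "must_change" if self.must_change else "ok"
        self.failed_tries += 1
        self.suspended = self.failed_tries >= MAX_FAILED_TRIES  # 3 tries, then suspended
        return "suspended" if self.suspended else "denied"
```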
3. Information Security • User IDs
• No sharing
• No generic IDs (e.g. Clerk1)
• No default IDs/passwords
  • CIRT.net – 444 vendors, 1800+ passwords

3. Information Security • Roles in the system
• Simplify security administration
• Regularly reviewed?

3. Information Security • Administrators / Super Users (“Keys to the Kingdom”)
• Limited number
• Required for job duties
• Audit trail / logging
• Use only when necessary
• Periodic review

3. Information Security • Logging
• Slows down the system
• Critical changes/info
• Protected from Admins
• Regularly reviewed
3. Information Security • Encryption
• Data at rest – WHY?
  • Hacked
  • Internal theft
  • Backups are compromised
• Data in transit – WHY?
  • Packet sniffing – wire theft
  • War driving

3. Information Security • Wireless Access
• Wireless Access Policy
• Encryption
• MAC Address filtering

4. Backup and Recovery
• Encrypted?
• Limited access

5. 3rd-party IT Providers – “Data in the Cloud”
• Outsource anything
  • Servers (Data Center)
  • Virtual servers on demand
  • Applications
  • Virus scanning
5. 3rd-party IT Providers
• SAS 70
  • Replaced by SSAE 16 Type 2
  • Effective June 15, 2011
  • Financial reporting
• SOC 2
  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy
  • Risk-based control framework
Case Study
Profiled in the Nov/Dec 2010 and Jan/Feb 2011 issues of Fraud Magazine
• Deputy treasurer/controller issued $236,000 in checks through an authorized maker scheme
• Detected through manual reconciliation & computer exception report
  • $7,148 check cleared the bank but was not an outstanding check
  • Uncashed check of $7,148 to a vendor was found in his office
  • Clerk noticed missing exception reports
  • Looked at IT system changes for the days with missing reports
• Staff cuts left him as the authorized person for changes
• IT discovered 2 inactive, unauthorized program changes
  • $215,846
  • $13,930

What went wrong?
• Weak IT Entity-Level controls
• Improper SoD
• Poor change management
• Weak controls in payment dept
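The three detection steps in the case study (a paid item that does not match an outstanding check, program changes on days the exception report was missing, and one person both requesting and authorizing a change) written as reconciliation checks. This is an added example, not code from the presentation; the register, bank, report and change-log records are constructed, and only the $7,148 figure comes from the slides.

```python
from datetime import date

# Constructed sample records modelled on the case study; only the $7,148 figure is from the slides.
REGISTER = {  # check number -> (payee, amount, status) in the accounting system
    1001: ("Office Supply Co", 1250.00, "outstanding"),
    1002: ("Utility Board", 7148.00, "outstanding"),   # the uncashed vendor check in his office
    1003: ("Road Contractor", 18400.00, "outstanding"),
    1005: ("Printing Inc", 500.00, "voided"),
}
BANK_PAID = [  # (check number, payee read from the paid-item image, amount) on the bank statement
    (1001, "Office Supply Co", 1250.00),
    (1002, "J. Deputy", 7148.00),   # same number and amount as the vendor check, different payee
    (1004, "J. Deputy", 9900.00),   # no such check was ever issued in the register
    (1005, "Printing Inc", 500.00),  # a voided check that nevertheless cleared
]
REPORT_PRODUCED = {date(2010, 3, 1): True, date(2010, 3, 2): False, date(2010, 3, 3): True}
CHANGE_LOG = [  # (date, program, requested_by, authorized_by) from change management
    (date(2010, 3, 1), "GL_POST", "itmgr", "cfo"),
    (date(2010, 3, 2), "AP_EXCEPTION_RPT", "deputy", "deputy"),
    (date(2010, 3, 3), "AP_CHECKPRINT", "deputy", "deputy"),
]

def bank_exceptions(register=REGISTER, bank_paid=BANK_PAID):
    """Paid items on the statement that do not match an outstanding check in the register."""
    found = []
    for number, payee, amount in bank_paid:
        entry = register.get(number)
        if entry is None:
            found.append((number, "not in register"))
            continue
        reg_payee, reg_amount, status = entry
        if status != "outstanding":
            found.append((number, "already %s" % status))
        elif reg_amount != amount:
            found.append((number, "amount mismatch"))
        elif reg_payee != payee:
            found.append((number, "payee mismatch"))
    return found

def changes_without_exception_report(reports=REPORT_PRODUCED, changes=CHANGE_LOG):
    """Program changes made on days the daily exception report was missing (no log entry counts as missing)."""
    return [c for c in changes if not reports.get(c[0], False)]

def sod_violations(changes=CHANGE_LOG):
    """Changes where the same person requested and authorized them: no segregation of duties."""
    return [c for c in changes if c[2] == c[3]]
```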
Questions

Contact Information
[email protected]
http://www.linkedin.com/in/ed3200